nepzap2 Posted January 4, 2010

When I try to submit text that uses a single quote ' and a double quote " or a combination of both, I receive this error:

You have an error in your SQL syntax near ''"'' WHERE id = 171' at line 35.

Does anyone know what this means and if there is any way to avoid this? Thanks

Philip Posted January 4, 2010

You need to escape those characters before placing them into a query. Take a look at mysql_real_escape_string

Maq Posted January 4, 2010

You should be invoking mysql_real_escape_string on the input. That will escape the quotes.

EDIT: KP beat me to it.

nepzap2 (Author) Posted January 4, 2010

Thank you guys. That pretty much solved my issue. I took Maq's suggestion like so:

    mysql_real_escape_string($_POST['laboratoryExperience']),
    mysql_real_escape_string($_POST['researchExperience']),
    mysql_real_escape_string($_POST['personalStatement']),
    mysql_real_escape_string($_POST['resume'])

So can this function pretty much escape any characters?

Mchl Posted January 4, 2010

Any characters that might break a MySQL query.

Maq Posted January 4, 2010

> Thank you guys. That pretty much solved my issue. I took Maq's suggestion like so:
>
>     mysql_real_escape_string($_POST['laboratoryExperience']),
>     mysql_real_escape_string($_POST['researchExperience']),
>     mysql_real_escape_string($_POST['personalStatement']),
>     mysql_real_escape_string($_POST['resume'])
>
> So can this function pretty much escape any characters?

It's all in the manual.

> mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
>
> This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

ignace Posted January 4, 2010

Also mentioned in the manual:

> Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

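The behaviour discussed in this thread, as an added example that is not part of any post above: it builds the same kind of UPDATE statement with and without escaping, to show why the quote characters caused the syntax error and what escaping changes. The helper names `emulate_escape` and `build_update`, the table name `applicants` and the sample input are assumptions made for illustration; the emulation stands in for the real function only so the example runs without a database connection.

```php
<?php
// Added illustration; not the code from the thread. It emulates, for plain
// ASCII/UTF-8 input only, the escaping described in the manual excerpt so it
// can run offline. Real code should call the driver's own function, which
// knows the connection's character set; this emulation does not.
function emulate_escape(string $value): string
{
    // The seven characters named in the manual excerpt quoted in the thread.
    return strtr($value, [
        "\\"   => "\\\\",
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

// Hypothetical table name; the column and the id value come from the thread.
function build_update(string $statement, $id, bool $escape): string
{
    $text = $escape ? emulate_escape($statement) : $statement;
    // Escaping only protects a value placed inside quotes, so the numeric
    // id is cast to an integer rather than escaped.
    return "UPDATE applicants SET personalStatement = '" . $text
         . "' WHERE id = " . (int) $id;
}

// Constructed sample input containing both kinds of quote.
$input = "I'm applying to the \"Smith\" lab";

// Unescaped: the first ' in the input ends the string literal early, and
// MySQL reports a syntax error when it tries to parse the remainder as SQL.
echo build_update($input, 171, false), "\n";

// Escaped: each quote is preceded by a backslash, so the literal stays intact.
echo build_update($input, "171", true), "\n";
```

The cast on the id matters because escaping does nothing for a value that is not wrapped in quotes in the query.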